Alert Classification
  • 19 Oct 2022


You can update an alert’s classification when you gain new or different insight into the underlying data. Keeping classifications current makes incident analysis more effective.

You can download alert classification rules in CSV format, view and create rules, and then upload the rules back to the platform.

Alert Classification Settings

You can download and upload alert classification rules via the Settings menu (Settings > Classification rules).

AlertClassificationRules.png

  1. Click Download rules to download the current rules in CSV format. The browser shows the downloaded CSV in the upper right corner of your screen.

  2. Open the file to view the rules.
    ClassificationCSV.png

  3. Fill in the CSV file so that the CDC can set the classification value for matching alerts. The CSV contains three columns:

  • Alert name
  • Source name
  • Classification value
  4. Click Upload rules to upload the rules back to the platform.

Notes:

  • Upload rules accepts CSV files in the following format (the delimiter can be either a comma or a semicolon):
    alert_name(partial search),alert_source(full match),classification_to_set

  • Uploading a new rules file replaces all existing rules rather than adding to them. Download the current rules first if you want to keep them.

  • Do not add new classification values in the CSV; use only the classifications that already exist in the platform. To add a classification, contact CyberProof Support.

  • Before uploading, check that every row has a non-empty classification value AND at least one of alert name or source name filled in. That is, each row needs at minimum:
    alert name + classification
    OR
    source name + classification

  • The CDC checks the alert name using INCLUDES logic: the CSV value must appear as a contiguous, case-insensitive substring of the alert name. If the alert name value in the CSV file is "ALERT NAME", the following alert names match:
    "234 kjhdskfjhsdf alert name fdjkskjsdf"
    "alert name kjbsdkvjbaksdvjbasdv"
    "skdjhsd alert name"
    BUT NOT
    "alert 112341234 name"

  • The CDC checks the source name using EXACT MATCH logic: the value in the file and the source name in the system must be identical.

  • Rules are evaluated by priority from top to bottom. For a given alert, the first matching rule is applied and processing stops, so place the most specific rules first. The following table shows an example:

ClassificationCSVLogic.png
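The following Python script is an added example, not part of the article or of the CyberProof platform, that models the rule-matching behaviour the notes above describe: delimiter detection (comma or semicolon), the upload validation (non-empty classification, alert name or source name present, classification drawn from the existing set), INCLUDES matching on the alert name, EXACT matching on the source name, and first-match-wins priority. The set of allowed classifications, the header row text and the sample rules are constructed for the example; the assumption that a rule filling in both columns requires both to match is mine, not stated on the page.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: classifications already defined in the platform. The article
# says the CSV must only use existing classifications, so anything else is rejected.
ALLOWED_CLASSIFICATIONS = {"True Positive", "False Positive", "Benign"}

# Assumed header text, modelled on the format line quoted in the Notes above.
HEADER_MARKER = "classification_to_set"


@dataclass(frozen=True)
class Rule:
    alert_name: str      # INCLUDES match, case-insensitive; empty means "any name"
    alert_source: str    # EXACT match; empty means "any source"
    classification: str


class RuleError(ValueError):
    """A row that the upload validation described in the article would reject."""


def sniff_delimiter(text: str) -> str:
    """Comma or semicolon, decided from the first non-empty line (comma on a tie)."""
    for line in text.splitlines():
        if line.strip():
            return ";" if line.count(";") > line.count(",") else ","
    return ","


def parse_rules(text: str) -> List[Rule]:
    """Parse and validate a rules CSV, preserving row order (row order is priority)."""
    rules: List[Rule] = []
    reader = csv.reader(io.StringIO(text), delimiter=sniff_delimiter(text))
    for lineno, row in enumerate(reader, start=1):
        if not any(cell.strip() for cell in row):
            continue                      # blank line
        if len(row) != 3:
            raise RuleError(f"line {lineno}: expected 3 columns, got {len(row)}")
        name, source, classification = (cell.strip() for cell in row)
        if lineno == 1 and classification.lower() == HEADER_MARKER:
            continue                      # assumed header row, skip it
        if not classification:
            raise RuleError(f"line {lineno}: classification is empty")
        if not name and not source:
            raise RuleError(f"line {lineno}: alert name and source name are both empty")
        if classification not in ALLOWED_CLASSIFICATIONS:
            raise RuleError(f"line {lineno}: unknown classification {classification!r}")
        rules.append(Rule(name, source, classification))
    return rules


def classify(alert_name: str, alert_source: str, rules: List[Rule]) -> Optional[str]:
    """Return the classification of the first matching rule, or None if none match.

    Assumption (not stated on the page): when a rule fills in both columns, both
    the INCLUDES check on the name and the EXACT check on the source must pass.
    """
    haystack = alert_name.lower()
    for rule in rules:
        if rule.alert_name and rule.alert_name.lower() not in haystack:
            continue
        if rule.alert_source and rule.alert_source != alert_source:
            continue
        return rule.classification        # first match wins, stop here
    return None


# Constructed sample upload, semicolon-delimited, ordered from highest to lowest priority.
SAMPLE_RULES_CSV = """\
alert_name(partial search);alert_source(full match);classification_to_set
;Lab Sensor;False Positive
Scheduled Vulnerability Scan;;Benign
Brute force;Azure AD;True Positive
"""

SAMPLE_RULES = parse_rules(SAMPLE_RULES_CSV)

if __name__ == "__main__":
    for name, source in [
        ("234 kjhdskfjhsdf scheduled vulnerability scan fdjkskjsdf", "Splunk"),
        ("Brute force attempt from 10.0.0.5", "Azure AD"),
        ("Brute force attempt from 10.0.0.5", "azure ad"),   # source is an exact match
        ("Brute force attempt", "Lab Sensor"),               # row 1 wins over row 3
    ]:
        print(f"{name!r} / {source!r} -> {classify(name, source, SAMPLE_RULES)}")
```

Running the script shows the two points that most often surprise people: a source name that differs only in case does not match, and a broad rule placed higher in the file (the "Lab Sensor" row) takes precedence over a more specific rule below it. Run `parse_rules` over your own download before uploading to catch rows that would fail the validation.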

Changing Alert Classifications

The alert Classification field can be found in the General alerts tab. The classification can be changed here, and you can add a new classification as well. When adding a new classification, it will be automatically added to the list. The value is not case-sensitive.

AlertClassification.png

If the field is updated with a value that matches one of the classifications configured in the CDC, the CDC applies it; otherwise the update is ignored.

When the classification is updated, a message is written to the alert’s chat and timeline. Note that updating a classification does not automatically trigger playbooks or the rules mechanism.

